Netinfo Security ›› 2015, Vol. 15 ›› Issue (5): 10-15.doi: 10.3969/j.issn.1671-1122.2015.05.002

Previous Articles     Next Articles

Characteristics Analysis of Traffic Behavior of Remote Access Trojan in Three Communication Phases

LI Wei1, LI Li-hui1,2(), LI Jia2, LIN Shen-wen2   

  1. 1. School of Computer Science , Beihang University , Beijing 100191, China
    2. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China
  • Received:2015-04-15 Online:2015-05-10 Published:2018-07-16

Abstract:

With the development of Internet technologies, network applications have also been better spread, and ensuring network security has become an urgent problem. Currently, the Trojan is one of the most serious threats to network security. The main methods of Trojan detection are characteristics-based Trojan detection and behavior-based Trojan detection. This paper analyzes the characteristics of the traffic behavior from the three communication stages of remote access Trojan. During establishing the connection, the Trojans have dynamic DNS behavior, and the PSH flag of TCP packet is set 1 when data is transferred, causing the number of PSH packets increasing. During command interaction , upload traffic and download traffic are asymmetrical, and the ratio of small packets is high. During keeping connection, the server sends keep-alive packets. This paper designs experiments to compare normal application traffic behavior with remote access Trojan traffic behavior on the above features, and analyze their similarities and differences, providing a basis for identifying the Trojan through traffic behavior characteristics.

Key words: remote access Trojan, traffic behavior, characteristics analysis, Trojan detection

CLC Number: